Cybersecurity


Carnival Cruise

NYDFS penalizes Carnival $5M for cybersecurity failures

2022-06-27T16:18:00+01:00

The New York State Department of Financial Services announced a $5 million penalty against Carnival Corp. for “significant” cybersecurity failures, including not implementing basic protocols to prevent four separate data breaches from 2019-21.

Carnival

Carnival reaches $1.25M settlement over 2019 data breach

2022-06-23T19:33:00+01:00

Carnival Cruise Line reached a $1.25 million settlement with 46 attorneys general stemming from its 2019 data breach that involved the personal information of 180,000 Carnival employees and customers nationwide.

TPRM2022 Linda Tuck Chapman

Five prevailing themes from TPRM Summit

2022-06-17T21:56:00+01:00

Editor In Chief Kyle Brasseur recaps popular points of discussion across Compliance Week’s two-day Third-Party Risk Management Summit held in Chicago.


Webcast: Importance of adopting a cybersecurity risk management framework

2022-06-16T14:00:00+01:00 Provided by

More and more commercial organizations are voluntarily adopting cybersecurity risk management frameworks like NIST CSF, COBIT, ISO, and others considering recent legislation, executive orders, and reporting requirements.

Cybersecurity offices

Survey: Cyber threats, remote work, financial pressures key ABC concerns for 2022

2022-06-15T19:06:00+01:00 By Adrianne Appel

Compliance programs globally expect to shoulder more responsibilities in 2022, according to Kroll’s latest Anti-Bribery and Corruption Benchmarking Report.

CW2022 SEC commissioners

SEC commissioners address CCO liability, crypto regulation, more at CW2022

2022-05-17T17:15:00+01:00

Two SEC commissioners from opposite sides of the political aisle took slightly different positions on how to assess the liability of poor performing chief compliance officers as part of the Day 2 opening keynote at Compliance Week’s National Conference.

Crypto

SEC to increase staffing around crypto asset-related investigations

2022-05-03T15:05:00+01:00

The Securities and Exchange Commission announced plans to nearly double the number of employees assigned to its Cyber Unit, which has had its name changed to emphasize the agency’s pursuit of crypto asset-related investigations.


CPE Webcast: Cybersecurity and third-party risk: Third-party threat hunting

2022-05-03T14:00:00+01:00 Provided by

Learn how to build a third-party risk management program with cybersecurity risk at the forefront.


CPE Webcast: The dangers of hidden email data

2022-04-25T14:00:00+01:00 Provided by

Where is your unstructured data lurking? With a record number of cyberattacks and the introduction of robust privacy laws like the GDPR and CPRA, it’s time to discover your data.


CPE Webcast: Data security 101 for compliance teams

2022-04-21T14:09:00+01:00 Provided by

Compliance departments must be up to speed with emerging cybersecurity threats. This includes understanding the new technologies, processes, and procedures their organization will need to employ to ensure they don’t run afoul of the modern data privacy environment.

Rising data

AA study: Cybersecurity breach disclosures surge in 2021

2022-04-08T15:26:00+01:00

The number of cybersecurity breaches disclosed by public companies in 2021 increased 44 percent while reports of ransomware attacks also surged, according to the latest Audit Analytics study.

Cash App

Cash App breached by former employee; 8.2M affected

2022-04-07T16:26:00+01:00

Approximately 8.2 million U.S. customers of Cash App Investing have been notified of a data breach carried out by a former employee of the mobile payment service provider.


Q1 roundup: SEC tackles climate disclosures, businesses navigate Russia restrictions, more

2022-04-01T12:00:00+01:00

Regulation and guidance from U.S. agencies and the White House, plus compliance challenges stemming from a two-year global pandemic and Russia’s ongoing invasion of Ukraine, made the first quarter of 2022 a novel risk environment for regulated businesses.

Data lock

Closing the data risk gap: How technology enables data protection

2022-03-31T13:00:00+01:00

Legal and compliance teams ranked data privacy and cybersecurity threats the No. 1 biggest risk entering 2022. Further survey results reveal roadblocks to organizations’ proactive compliance.

Cyber

Ukrainian telecom victim of ‘powerful’ cyberattack

2022-03-29T16:13:00+01:00

Ukrainian telecommunications company Ukrtelecom is in the process of restoring its services after a “powerful” cyberattack wreaked havoc on its operations.


Five insights gleaned from PCAOB audit committee chair report

2022-03-28T15:19:00+01:00

The Public Company Accounting Oversight Board published its annual report highlighting feedback received from its discussions with audit committee chairs at U.S. public companies during the previous year.

GDPR EU flag

How EU regulators are warning of Russian data protection threats

2022-03-21T13:45:00+00:00

Regulators in Norway, Germany, Lithuania, Estonia, Denmark, and Sweden address how companies can prepare for increased data protection and cybersecurity risks in the wake of Russia’s invasion of Ukraine.

FTC seal

Former CafePress owner to pay $500K in FTC settlement over data breach

2022-03-16T19:17:00+00:00

Residual Pumpkin Entity, the former owner of CafePress, must pay $500,000 in redress under a proposed settlement with the Federal Trade Commission addressing allegations CafePress failed to secure personal data and covered up a data breach.

Facebook Ireland

Meta fined $18.6M under GDPR for 2018 data breaches

2022-03-15T20:16:00+00:00

The Irish Data Protection Commission fined Meta’s Irish subsidiary 17 million euros (U.S. $18.6 million) for a series of personal data breaches that took place nearly four years ago.

SEC

SEC proposes companies report cybersecurity incidents within four days

2022-03-09T23:04:00+00:00

Public companies would have to report material cybersecurity incidents no later than four business days after they occur if a rule proposed by the Securities and Exchange Commission takes effect.

Allison Herren Lee and Hester Peirce

Top 10 reasons to attend Compliance Week 2022

2022-03-09T18:12:00+00:00

A keynote with two SEC commissioners; interactive sessions on global sanctions, ESG, and ethical leadership; and a new conference location and format highlight Dave Lefort’s list of reasons to be excited for CW’s first in-person event in nearly three years.

Russian hacker

Steps for preparing for potential Russian cyberthreats

2022-03-03T21:45:00+00:00

As the West seeks to isolate Russia, the country might retaliate with state-sponsored cyberattacks. Although Russia is suspected to have launched such attacks before, the scale and scope could be much bigger this time, experts warn.

Colonial Pipeline

Colonial Pipeline names first chief information security officer

2022-02-24T20:39:00+00:00

More than nine months after being targeted by a ransomware attack, Colonial Pipeline has named Adam Tice as its first chief information security officer.


Audit committees rolling with punches of evolving role

2022-02-24T19:46:00+00:00

Two prominent audit committee chairs speak to the results of a Deloitte Center for Board Effectiveness and Center for Audit Quality report on audit committee practices and the major issues audit committees face today.


DOJ names head of crypto enforcement team

2022-02-18T19:26:00+00:00

The Department of Justice named veteran prosecutor Eun Young Choi to serve as the first director of its newly created National Cryptocurrency Enforcement Team.


Third-party cybersecurity monitoring: Tips for keeping vendors honest

2022-02-18T17:33:00+00:00

A continuous monitoring cybersecurity strategy for third-party risks goes a long way toward proactively identifying external vulnerabilities. At CW’s virtual Cyber Risk & Data Privacy Summit, a panel of experts shared leading practices.

Business defense

Why high-growth companies should prioritize data privacy

2022-02-17T16:16:00+00:00

A group of experts at CW’s virtual Cyber Risk & Data Privacy Summit explained how complying with data privacy regulations from Day 1 can provide high-growth companies with certain competitive advantages.

Cybersecurity

Best practices to achieve a continuous assurance cybersecurity model

2022-02-17T16:15:00+00:00

A panel of cybersecurity experts shared tips for achieving continuous assurance and getting necessary buy-in at CW’s virtual Cyber Risk & Data Privacy Summit.

Cyber Risk Rachael Pashkevich Koontz

Company cybersecurity certifications: Business case and where to start

2022-02-16T18:15:00+00:00

Rachael Pashkevich Koontz, senior corporate counsel of cybersecurity compliance at T-Mobile, shared her opinions on cybersecurity certifications and determining the right fit for certain organizations at CW’s virtual Cyber Risk & Data Privacy Summit.

Bitcoin security

DOJ arrests in Bitfinex case highlight inner workings of crypto laundering scheme

2022-02-09T17:48:00+00:00

The Department of Justice arrested two individuals over an alleged conspiracy to launder approximately $4.5 billion worth of cryptocurrency stolen in the 2016 hack of digital asset trading platform Bitfinex.

Accor

How Accor manages global data privacy compliance

2022-02-09T13:37:00+00:00

Marie-Christine Vittet, vice president of compliance at hospitality chain Accor, shares with Compliance Week the company’s journey toward a global data privacy compliance program.

OTE

Cosmote, parent company OTE fined $10.6M under GDPR

2022-02-08T18:13:00+00:00

The Hellenic Data Protection Authority fined mobile phone operator Cosmote and its parent company OTE a total of €9.25 million (U.S. $10.6 million) for a data breach caused by a September 2020 cyberattack and for illegally processing customer data.

Ransomware Epilogue

Epilogue: What happened to Betsy?

2022-02-03T13:00:00+00:00

The “patient zero” of fictional private utility company Vulnerable Electric’s ransomware crisis learns her fate.

Ransomware Chapter 4

Chapter 4: Recovery and lessons learned post-ransomware attack

2022-02-03T13:00:00+00:00

Whether fictional private utility company Vulnerable Electric pays the ransom or not in the aftermath of its cyber incident, the two pathways quickly splinter off in different directions with varied endings, each with important lessons to be learned.

Ransomware Glossary

Ransomware case study glossary

2022-02-02T13:00:00+00:00

The field of cybersecurity features a growing list of terminology to describe the many forms, channels, and motivations behind cyberattacks and hacking culture. Learn further definitions for some key terms featured throughout the ransomware case study.

Ransomware Chapter 3

Chapter 3: Ransomware eradication prompts tough choice: To pay or not to pay?

2022-02-02T13:00:00+00:00

No matter what, the deck is stacked against fictional private utility company Vulnerable Electric as it weighs whether to pay the $5 million ransom demanded by a cybercriminal who breached its systems. Which path do you take?


Chapter 2, Part 2: Ransomware damage control and when to alert stakeholders

2022-02-01T13:00:00+00:00

Systems at fictional private utility company Vulnerable Electric remain impacted in the aftermath of a ransomware attack, but the chief executive decides it’s time to be forthright with employees and customers.


Chapter 2, Part 1: Containment key to ransomware defense

2022-02-01T13:00:00+00:00

With Day 2 of fictional private utility company Vulnerable Electric’s ransomware crisis comes the need to grasp the extent of its situation. The cyber incident response team’s synchronized efforts are pivotal as time is of the essence.


Chapter 1, Part 2: All hands on deck in C-suite ransomware response

2022-01-31T13:00:00+00:00

Following the events that triggered a double extortion ransomware attack, the CEO of fictional private utility company Vulnerable Electric mobilizes her cyber incident response team to begin assessing the path forward to dealing with the cybercriminal(s).


Chapter 1, Part 1: Betsy’s human error triggers ransomware crisis

2022-01-31T13:00:00+00:00

When one of fictional private utility company Vulnerable Electric’s most dedicated employees falls victim to a social engineering hack, her actions in the immediate aftermath are crucial to what will soon become a crisis for the C-suite.

Ransomware cover

CW case study offers 360-degree view of ransomware attack

2022-01-31T13:00:00+00:00

Learn through the eyes of the C-suite at Vulnerable Electric, a fictional private utility company impacted by a significant ransomware attack, as part of Compliance Week’s third case study.

Water system

Biden plan to expand cybersecurity collaboration with water sector

2022-01-28T21:39:00+00:00

The Biden administration announced an action plan to collaborate with owners and operators in the water sector to deploy technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings.

Cybersecurity

Gensler says SEC to consider new rules for cybersecurity, data privacy disclosures

2022-01-25T22:27:00+00:00

The Securities and Exchange Commission is kicking the tires on new cybersecurity and data privacy disclosure requirements for investment companies, investment advisers, broker-dealers, and public companies, according to agency Chair Gary Gensler.


NAVEX: Top 10 risk and compliance trends for 2022

2022-01-20T19:15:00+00:00

Diversity, equity, and inclusion; prioritizing ESG; business continuity; and more highlight the latest edition of NAVEX’s annual list of risk and compliance trends worth monitoring.


Report: GDPR fines surpass $1B in 2021; breach notifications also rise

2022-01-18T22:06:00+00:00

Nearly €1.1 billion (U.S. $1.2 billion) worth of fines have been issued against organizations in the past year for violations of the General Data Protection Regulation, according to the latest annual report by law firm DLA Piper.


Accellion to pay $8.1M in proposed data breach settlement

2022-01-14T19:16:00+00:00

The Accellion data breach that last year affected a variety of private- and public-sector organizations and compromised the personal data of millions of individuals could be resolved in an $8.1 million class-action settlement.

Morgan Stanley

Morgan Stanley agrees to $60M settlement over compromised personal data

2022-01-04T20:38:00+00:00

Morgan Stanley has agreed to establish a $60 million fund to settle a class-action lawsuit filed by nearly a dozen customers regarding personal data that was compromised when the bank decommissioned two wealth management centers.


DiMauro: Seven compliance areas to watch in 2022

2021-12-29T17:26:00+00:00

If 2021 was about transition under the Biden administration, 2022 is looking as if it will be a year of action. CW Director of Compliance Programs & Training Julie DiMauro shares her list of key areas she expects to receive enhanced scrutiny in the year ahead.

Desjardins

Desjardins reaches $155M proposed settlement in data breach class action

2021-12-20T19:48:00+00:00

Desjardins Group has reached a proposed C$201 million (U.S. $155 million) settlement agreement in a class-action lawsuit following a long-running data breach that ultimately compromised the personal information of nearly 10 million individuals in Canada and abroad.


Cybersecurity trends continue in 2021 audit committee transparency report

2021-12-20T19:17:00+00:00

The most dramatic increase in audit committee disclosures in proxy statements for the second consecutive year was in responsibility for cybersecurity risk oversight, according to the latest report from the Center for Audit Quality and Audit Analytics.